[c-nsp] Sup720 CoPP, limits on CPU performance

Ross Vandegrift ross at kallisti.us
Tue Mar 23 08:15:56 EDT 2010


On Mon, Mar 22, 2010 at 12:45:05PM -0700, Mack McBride wrote:
> Dropping all remaining IP leads to some odd behavior since traffic
> not destined for the router can get process switched, that traffic
> would get dropped.  It is better to drop unsolicited traffic aimed
> at router interface IPs. And rate limit the remaining traffic to
> some reasonable level to allow process switched traffic to get
> through.

People always say this, but I wasn't able to get this working.  I
implemented CoPP on a pair of misbehaving 6500s with the express
intention of breaking most process switching.

CoPP is generally working fine.  My policy is similar to the strategy
described by the previous poster (permit routing protocols, permit a
few management IPs, permit and rate-limit ICMP, drop everything else).
All of this works as advertised when the destination address of a
packet is the router.  But the boxes will still punt and software
switch transit traffic.

Ross

-- 
Ross Vandegrift
ross at kallisti.us

"If the fight gets hot, the songs get hotter.  If the going gets tough,
the songs get tougher."
	--Woody Guthrie
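
The policy shape described in this message (permit routing protocols, permit a few management IPs, permit and rate-limit ICMP, drop everything else), sketched as an added IOS configuration; it is not the poster's actual configuration. All ACL, class and policy names, the documentation-range addresses and the police rates are assumptions, and the commented line shows the rate-limit alternative from the quoted reply.

```cisco
! Constructed example: names, addresses (192.0.2.0/24, 198.51.100.0/24)
! and rates are placeholders, not values from the thread.
mls qos
!
ip access-list extended COPP-ROUTING
 permit tcp host 192.0.2.1 any eq bgp
 permit tcp host 192.0.2.1 eq bgp any
 permit ospf any any
ip access-list extended COPP-MGMT
 permit tcp 198.51.100.0 0.0.0.255 any eq 22
 permit udp 198.51.100.0 0.0.0.255 any eq snmp
ip access-list extended COPP-ICMP
 permit icmp any any
ip access-list extended COPP-REMAINING-IP
 permit ip any any
!
class-map match-all COPP-ROUTING
 match access-group name COPP-ROUTING
class-map match-all COPP-MGMT
 match access-group name COPP-MGMT
class-map match-all COPP-ICMP
 match access-group name COPP-ICMP
class-map match-all COPP-REMAINING-IP
 match access-group name COPP-REMAINING-IP
!
policy-map COPP
 ! Routing protocols: never dropped by the policer
 class COPP-ROUTING
  police 1000000 31250 31250 conform-action transmit exceed-action transmit
 ! Management from a few known sources
 class COPP-MGMT
  police 500000 15625 15625 conform-action transmit exceed-action drop
 ! ICMP permitted but rate-limited
 class COPP-ICMP
  police 64000 2000 2000 conform-action transmit exceed-action drop
 ! Everything else: dropped outright (the strategy in this message)
 class COPP-REMAINING-IP
  police 32000 1500 1500 conform-action drop exceed-action drop
  ! Alternative from the quoted reply: rate-limit instead of dropping
  ! police 32000 1500 1500 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP
```

`show policy-map control-plane` displays the per-class conform and exceed counters, which is how to confirm which class a given kind of traffic is landing in.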